"Finding n3ro" Walk Through

Walkthrough of “Finding n3ro”

Introduction

o “Finding n3ro” is a challenge created by KPMG UK for

Security B-Sides London 2012

Part 1Website

<a href="mailto:finding.n3ro@gmail.com?subject=Challenge 7: Finding N3ro... ">mail to finding.n3ro</a>

Part 1Email which I sent to finding.n3ro@gmail.com

I like to hang out on Google Groups…

Part 1Google Groups search

Part 1Result found!

Part 1

http://groups.google.com/group/n3ro-tech-talk/msg/e8c3ed172eb21d2b

Random ASCII characters..?

Part 1

Possibly Base64 encoded?

Part 1Cleaning up the encoded string

Part 1Converting from Base64 ASCII to binary

Part 1Dumping the binary in hex form..

Part 1Looks to be a MS Word document..

Part 1Contents of said document

Part 1Properties of said document

Part 2 of Finding N3ro

can be downloaded

here: http://finding-

n3ro.net/01efaa15a2bn3ro.net/01efaa15a2b

90d65fefa472cd00f6a4

f/N3rosVM.zip;

Part 1Contents of zip file

Part 1 (Solved)Contents of text file inside zip file.. And a pointer to Part 2

Part 2

Part 2Contents of yet another text file

Port Knocking: An Introduction

o A method of externally opening ports by generating a

connection attempt on a set of prespecified closed ports

o Once a correct sequence is received, firewall rules are

dynamically modified to allow the host which sent the sequence dynamically modified to allow the host which sent the sequence

to connect over specific port(s)

o Primary purpose is to prevent an attacker from scanning a

system for potentially exploitable services by doing a port scan

Source: http://en.wikipedia.org/wiki/Port_knocking

Part 2

• TCP ports Finger,NTP,HTTPS,DNS,RDP,FTP,Oracle

Listener,Kerberos,SSH,HTTP (and in that order too...)

Port knocking continued..

Finger 79

NTP 123

HTTPS 443HTTPS 443

DNS 53

RDP 3389

FTP 21

Oracle Listener 1521

Kerberos 88

SSH 22

HTTP 80

Part 2Before knocking…

Part 2knock.exe 192.168.56.101 79 123 443 53 3389 21 1521 88 22 80 -v

Part 2 (Solved)An accessible webpage!

Part 3SQL Injection

http://192.168.56.101/reshow.php?id=-1+or+1%3D1

All you need is /usr/share/mysql/n3ro.part4

Part 3Testing UNION SELECT injection..

Part 3Preparing the injection..

/usr/share/mysql/n3ro.part4 == 0x2f7573722f73686172652f6d7973716c2f6e33726f2e7061727434

Part 3 (Solved)SQL Injection II

User: n3ro

http://192.168.56.101/reshow.php?id=-

1%20UNION%20SELECT%201,LOAD_FILE(0x2f7573722f73686172652f6d7973716c2f6e33726f2e706172

7434),3

User: n3ro

Password: KPMG_is_Hiring!

Part 4

• Tried a lot of methods to get root, including

• Sudo

• n3ro not in /etc/sudoers

• Java atomic reference

Returned shell with n3ro privs

• Returned shell with n3ro privs

• PHP load_file/get_file_contents

• Permissions error

• Some other Linux kernel privilege escalation exploit

• Kernel has been updated

Part 4 Method 1Peeking at crontab

Part 4 Method 1Looking at /etc/1min.sh

In summary, 1min.sh is executed every one minute by crontab, is owned by

root, executed in the context of root, and is world-writable

Part 4 Method 1Exploiting…

Part 4 Method 1 (Solved)Wait a minute…

Part 4 Method 2man pkexec

Part 4 Method 2Using pkexec..

Part 4 Method 2 (Solved)Using pkexec..

Part 5

• ubuntu$ cd /Desktop/android-sdk-linux/tools

• ubuntu$ ./android avd

Android Virtual Device

Part 5

• ubuntu$ ./adb devices

• ubuntu$ ./adb –s emulator-5554 shell

Connecting to AVD via terminal

Part 5 Method 1

• Location of apk: /data/app/com.bsides.hackme-1.apk

• ubuntu$ ./adb pull /data/app/com.bsides.hackme-1.apk

Pulling the apk, and then converting apk to jar

Part 5 Method 1 (Solved)Decompiled jar file

localAlertDialog.setMessage(“You can open /home/n3ro/21332esw.zip with

password: KPMG-Cyber-Security”);

Part 5 Method 2

• droid# pwd

• droid# cd /data/data/com.bsides.hackme/databases

• droid# ls

• PasswordReaderdb

• droid# sqlite3 PasswordReaderdb

• sqlite3> .tables

• android_metadata userCred

Connecting to the database

• android_metadata userCred

• sqlite3> .dump userCred

Part 5 Method 2Getting the hash

Part 5 Method 2Googling the hash

md5(“password14”) = 8ee736784ce419bd16554ed5677ff35b

Part 5 Method 2 (Solved)Connecting to the database

Part 6Getting the instructions

Part 6What is Volatility?

Part 6Using Volatility to retrieve password hashes in memory dump file

n3ro:1011:90e0328fd51e9347f68b27ea95cd8bb2:7fa21bbd95d9f220b3f651cf8405a91b

Part 6 (Solved)Rainbow tables was used to decrypt the hash

Password: KPMGisH1r1ng

Part 7Using the password to decrypt the zip file..

Part 7Our favourite packet analysis software

Part 7Retrieving objects from packet data

Part 7Contents of file “p1”

Part 7Contents of file “part7.c”

Part 7Directory listing of files

Being too lazy to install a C compiler…

Part 7 (Solved)Contents of output joined file

Part 8Files involved

Part 8unlock.mp3

Part 8Deciphering morse code

Part 8Last password?

THEFINAL

PASSWORD

TOUNLOCKTOUNLOCK

LKNH8732DWQ12SSW14FT

Part 8Extracting our prize…

Part 8 (Solved)Picture of n3ro (presumably)

MiscellaneousMaintaining access

MiscellaneousSome interesting stuff

"Finding n3ro" Walk Through

Documents

Indoor Environmental Quality · Participants of a walk-through team 2. The task of a walk-through team 3. General walk-through areas in the process 4. The IEQ Coordinator 5. The Walk-Through

Ffv Walk Through

Overview. The purpose of the walk- through process The timeline for the walk- through process The look-fors in the walk- through process

Limbo Walk Through

Enrollment walk through

SOT Walk Through

Final Walk Through

Mafia Walk Through

Walk Through Toronto

Finding the best evidence 1. Walk through one 2. Do own searches

Finding and Re-Finding Through Personalization

Tower Walk Through

Walk Through Atlantis

Walk through Frankfurt

Classroom Walk-Through

Supporting Finding and Re-Finding Through Personalization

Bedgebury Walk - Walk Through Time

Suikoden Walk Through)

Mahara Walk Through

Walk Through Wednesday